HTML tag can not filter XSS
MyKings opened this issue · comments
Input text box, enter the following:
http://www.example.com/<script>alert(document.cookie)</script>
Here is the test code, click preview trigger : )
<!DOCTYPE html>
<head>
<meta charset="UTF-8">
<title>editor</title>
</head>
<link href="/static/css/bootstrap.min.css" rel="stylesheet">
<link href="/static/css/bootstrap-markdown-editor.css" rel="stylesheet">
<script src="/static/js/jquery-1.7.2.min.js"></script>
<script src="/static/js/bootstrap.min.js"></script>
<script src="/static/js/ace.js"></script>
<script src="/static/js/bootstrap-markdown-editor.js"></script>
<body>
<div id="myEditor" name="myEditor">http://www.example.com/<script>alert(document.cookie)</script></div>
<script language="javascript">
$('#myEditor').markdownEditor({
preview: true,
onPreview: function (content, callback) {
$('#myEditor').html(content);
}
});
</script>
</body>
</html>
It depends of the markdown parser. The example in this repository uses the javascript library Marked to parse the markdown to html only as demonstration.
You should use a server-side parser with the filters you need.